All Things Digital

Digital Daily

Epicurious Has Added a Potential Privacy Violation to Your Facebook Profile!

Facebook may be worth $15 billion after all–not in future advertising revenues (which are apparently suffering at the moment), but in future legal fees.

A CA security researcher reports that the site’s controversial Beacon online ad system, which transforms member transactions on affiliate sites into product/service endorsements, collects information about member actions on affiliate sites even if they’ve opted out of Beacon and logged off from Facebook. Stefan Berteau, senior research engineer at CA’s Threat Research Group, explained how in a post to the CA Security Advisor Research Blog:

“I created an account on epicurious.com and tried saving three recipes as favorites. The first recipe was saved while logged in to Facebook in the same browser session. An alert appeared allowing me to opt out of Facebook’s publishing this as a story on my feed, which I did. The second one was saved after I had closed the Facebook window but had not logged out or ended the browser session. The same alert appeared, and I opted out again, selecting ‘No thanks.’ I then closed the browser entirely and launched a new session. After confirming that I was not logged in to Facebook, I saved the third recipe. No alert appeared.

“I then checked the network traffic logs and was dismayed to find that in all three cases, data about where I was on Epicurious, what action I had just taken, and what my Facebook account name is [were] transmitted to Facebook. The first two cases involve the transmission of user data despite ‘No thanks’ having been selected on the opt-out dialog, and are causes for deep concern. They pale, however, in comparison to the third case, where Facebook was receiving data about my online habits while I was not logged in, and was doing so silently, without even alerting me to the cross-site communication.”

Unsettling, such data collection practices. Though Facebook, of course, claims they are all on the up-and-up and conducted with proper privacy safeguards. “When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically,” the company said in response to Berteau’s report. “If a Facebook user clicks ‘No, thanks’ on the partner-site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well.”


About John

John Paczkowski has been poking fun at the tech industry and the personalities that drive it since 1997. From 1999 to 2007, he wrote the award-winning tech news Web log Good Morning Silicon Valley for the San Jose Mercury News, Silicon Valley's daily newspaper.
